Commit fcfc836

Java: Add tests for ExecTainted
1 parent b6cf1cc commit fcfc836

7 files changed

+97
-0
lines changed

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
| Test.java:50:46:50:49 | "ls" | Command with a relative path 'ls' is executed. |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Security/CWE/CWE-078/ExecRelative.ql
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
edges
2+
| Test.java:6:35:6:44 | arg : String | Test.java:7:44:7:69 | ... + ... |
3+
| Test.java:6:35:6:44 | arg : String | Test.java:10:29:10:74 | new String[] |
4+
| Test.java:6:35:6:44 | arg : String | Test.java:18:29:18:31 | cmd |
5+
| Test.java:6:35:6:44 | arg : String | Test.java:24:29:24:32 | cmd1 |
6+
| Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... |
7+
| Test.java:57:27:57:39 | args : String[] | Test.java:60:20:60:22 | arg : String |
8+
| Test.java:57:27:57:39 | args : String[] | Test.java:61:23:61:25 | arg : String |
9+
| Test.java:60:20:60:22 | arg : String | Test.java:6:35:6:44 | arg : String |
10+
| Test.java:61:23:61:25 | arg : String | Test.java:28:38:28:47 | arg : String |
11+
nodes
12+
| Test.java:6:35:6:44 | arg : String | semmle.label | arg : String |
13+
| Test.java:7:44:7:69 | ... + ... | semmle.label | ... + ... |
14+
| Test.java:10:29:10:74 | new String[] | semmle.label | new String[] |
15+
| Test.java:18:29:18:31 | cmd | semmle.label | cmd |
16+
| Test.java:24:29:24:32 | cmd1 | semmle.label | cmd1 |
17+
| Test.java:28:38:28:47 | arg : String | semmle.label | arg : String |
18+
| Test.java:29:44:29:64 | ... + ... | semmle.label | ... + ... |
19+
| Test.java:57:27:57:39 | args : String[] | semmle.label | args : String[] |
20+
| Test.java:60:20:60:22 | arg : String | semmle.label | arg : String |
21+
| Test.java:61:23:61:25 | arg : String | semmle.label | arg : String |
22+
#select
23+
| Test.java:7:44:7:69 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:7:44:7:69 | ... + ... | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |
24+
| Test.java:10:29:10:74 | new String[] | Test.java:57:27:57:39 | args : String[] | Test.java:10:29:10:74 | new String[] | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |
25+
| Test.java:18:29:18:31 | cmd | Test.java:57:27:57:39 | args : String[] | Test.java:18:29:18:31 | cmd | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |
26+
| Test.java:24:29:24:32 | cmd1 | Test.java:57:27:57:39 | args : String[] | Test.java:24:29:24:32 | cmd1 | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |
27+
| Test.java:29:44:29:64 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:29:44:29:64 | ... + ... | $@ flows to here and is used in a command. | Test.java:57:27:57:39 | args | User-provided value |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Security/CWE/CWE-078/ExecTaintedLocal.ql
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
| Test.java:7:44:7:69 | ... + ... | Command line is built with string concatenation. |
2+
| Test.java:29:44:29:64 | ... + ... | Command line is built with string concatenation. |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Security/CWE/CWE-078/ExecUnescaped.ql
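--- a/Test.java
+++ b/Test.java
@@ -0,0 +1,64 @@
+import java.lang.ProcessBuilder;
+import java.util.List;
+import java.util.ArrayList;
+
+class Test {
+public static void shellCommand(String arg) {
+ProcessBuilder pb = new ProcessBuilder("/bin/bash -c echo " + arg);
+pb.start();
+
+pb = new ProcessBuilder(new String[]{"/bin/bash", "-c", "echo " + arg});
+pb.start();
+
+List<String> cmd = new ArrayList<String>();
+cmd.add("/bin/bash");
+cmd.add("-c");
+cmd.add("echo " + arg);
+
+pb = new ProcessBuilder(cmd);
+pb.start();
+
+String[] cmd1 = new String[]{"/bin/bash", "-c", "<cmd>"};
+cmd1[1] = "echo " + arg;
+
+pb = new ProcessBuilder(cmd1);
+pb.start();
+}
+
+public static void nonShellCommand(String arg) {
+ProcessBuilder pb = new ProcessBuilder("./customTool " + arg);
+pb.start();
+
+pb = new ProcessBuilder(new String[]{"./customTool", arg});
+pb.start();
+
+List<String> cmd = new ArrayList<String>();
+cmd.add("./customTool");
+cmd.add(arg);
+
+pb = new ProcessBuilder(cmd);
+pb.start();
+
+String[] cmd1 = new String[]{"./customTool", "<arg>"};
+cmd1[1] = arg;
+
+pb = new ProcessBuilder(cmd1);
+pb.start();
+}
+
+public static void relativeCommand() {
+ProcessBuilder pb = new ProcessBuilder("ls");
+pb.start();
+
+pb = new ProcessBuilder("/bin/ls");
+pb.start();
+}
+
+public static void main(String[] args) {
+String arg = args.length > 1 ? args[1] : "default";
+
+shellCommand(arg);
+nonShellCommand(arg);
+relativeCommand();
+}
+}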
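Review bot: On new-side line 22, `cmd1[1] = "echo " + arg;` overwrites the `-c` element of `{"/bin/bash", "-c", "<cmd>"}` instead of the `<cmd>` placeholder at index 2, so the array handed to `ProcessBuilder(cmd1)` on line 24 becomes `/bin/bash "echo …" "<cmd>"` and no longer exercises the `bash -c <tainted>` shape that the sibling cases on lines 10 and 16 test; the parallel assignment on line 43 (`cmd1[1] = arg;`) is right only because its placeholder sits at index 1. The intended line is presumably `cmd1[2] = "echo " + arg;`, and the ExecTaintedLocal expectation for `cmd1` at 24:29 should be re-checked after the fix since the query may currently match on the element order by accident. Separately, every `pb.start()` throws the checked `java.io.IOException` and none of the three methods declares it, so javac would reject the file; unless the test extractor is deliberately lenient about this, add `throws IOException` to `shellCommand`, `nonShellCommand` and `relativeCommand` (and to `main`). The `args.length > 1 ? args[1]` guard on line 58 also skips `args[0]`, which does not change the tainted source but reads like an off-by-one.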
